The vulnerability allowed attackers to override an important security measure.

Apple has updated OS X to patch more than a dozen security flaws, including one that allowed attackers to exploit Web-based Java flaws even when end users had disabled the widely abused browser plugin.

The CoreTypes vulnerability in OS X Lion and Mountain Lion posed a threat because it undermined widely repeated advice for Mac users to disable Java in browser plugins. The measure is designed to repel a surge of attacks that exploit vulnerabilities in the Oracle-controlled software. Criminal hackers use them to surreptitiously install malware when computers visit booby-trapped websites. According to a bulletin accompanying Thursday's OS X update, attackers could override the protective measure by manipulating the Java Network Launching Protocol, or JNLP, which allows applications to launch directly from a browser.

"Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled," the bulletin explained. "Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory."

CVE-2013-0967, as the vulnerability is officially cataloged, was one of almost two dozen security flaws fixed in the Lion or Mountain Lion versions of OS X. Other bugs that were fixed allowed attackers to execute malicious code by tricking end users into viewing specially manipulated PDF files or QuickTime videos.
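As an added illustration, not code from Apple's bulletin or from the article, the following Python sketch models the two pieces of the mechanism described above: a browser "open safe files after downloading" decision driven by a file-type allowlist, with JNLP present before the fix and absent after it, and a small inspector that reads a downloaded JNLP file to show what Java Web Start would have launched. The allowlists, the file names and the sample JNLP are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the CoreTypes "safe file type" list before and
# after the fix (the real list contains many more entries; these are
# hypothetical). The fix consisted of removing the JNLP type from the list.
SAFE_TYPES_BEFORE_FIX = frozenset({"jpg", "png", "pdf", "txt", "jnlp"})
SAFE_TYPES_AFTER_FIX = SAFE_TYPES_BEFORE_FIX - {"jnlp"}


def auto_launched_after_download(filename, safe_types, java_plugin_enabled):
    """Return True if a browser that opens 'safe' downloads would launch
    this file without a click. A .jnlp is handed to Java Web Start, which
    never consulted the browser plug-in switch, so that switch only matters
    for applets embedded in pages, never for this path."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jnlp":
        return ext in safe_types          # plug-in setting is irrelevant
    return ext in safe_types and (ext != "class" or java_plugin_enabled)


def inspect_jnlp(xml_text):
    """Summarise what a JNLP file would launch: where the code is fetched
    from, which jars, the entry class, and whether it asks for full
    permissions. Raises ValueError for a document that is not JNLP."""
    root = ET.fromstring(xml_text)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP document: root is <%s>" % root.tag)
    app = root.find("application-desc")
    return {
        "codebase": root.get("codebase", ""),
        "jars": [j.get("href") for j in root.iter("jar")],
        "main_class": app.get("main-class") if app is not None else None,
        # <security><all-permissions/></security> means the app wants to
        # run outside the sandbox, which is what a drive-by would request.
        "all_permissions": root.find("security/all-permissions") is not None,
    }


# Constructed sample of a JNLP file as a site might serve it.
SAMPLE_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://example.invalid/webstart/" href="app.jnlp">
  <information><title>Sample</title><vendor>Constructed</vendor></information>
  <security><all-permissions/></security>
  <resources><j2se version="1.6+"/><jar href="app.jar" main="true"/></resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>"""

if __name__ == "__main__":
    for types, label in ((SAFE_TYPES_BEFORE_FIX, "before"), (SAFE_TYPES_AFTER_FIX, "after")):
        print(label, auto_launched_after_download("app.jnlp", types, False))
    print(inspect_jnlp(SAMPLE_JNLP))
```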

I didn't have time to look into the specifics but I quickly booted up a clean up-to-date Snow Leopard system at work to try it out and found that automatic launching of JNLP files (also known as Java Web Start applications) is disabled by default in the Java Preferences.

The bulletin linked in the article details the latest batch of security fixes. The vulnerabilities affect various combinations of 10.6, 10.7, and 10.8. The fixes for 10.8 were delivered via the 10.8.3 update; for 10.7 and 10.6 via Security Update 2013-001.

...To disable Java, search for Java Preferences and uncheck all three on the General pane.

To disable Java in the browsers (biggest security risk) head to each browser's preferences or add-ons.

Don't disable Javascript, that's not Java.

Ok, thanks. Yer apparently experienced, but this. As is likely the case with many others, we have some *essential* sites that depend upon Java (yep, not Javascript: I know the difference). Oracle has its foot in corporate mainframes. Kissy, kissy. Medical, financial, and a few government sites. If we disable as you suggest, does the browser do us the courtesy of *prompting* for a temporary enable? And do we need to keep up with Java updates *just for the sake of these sites*? (Wotta hassle.)

Steve Jobs may well reincarnate as a mouse, albeit a frickin laser mouse with 3 buttons where the middle button automatically uninstalls Java & Flash and sends an image of the Buddha giving a 1 finger salute via email to Sun and Adobe.

You can say what you want, but he was right about Java and Flash.

No matter how cool a technology is, what counts is how it is used, and it's mostly used for ads and malware.

Snow Leopard is still supported? I didn't think so, seeing Safari wasn't updated.

Apple needs to be very careful about dropping support too quickly for older software and hardware. A good example being Aperture 3, which I bought when I was using Snow Leopard on my 2008 iMac. All of a sudden a 3.x update showed up that dropped support for Snow Leopard. Lion and Mountain Lion bogged down the Mac too much, so I decided to stay with Snow Leopard, making the Aperture that I bought no longer capable of receiving updates, which was very upsetting.

I could understand, maybe, doing that with a totally new version 4, but this put a really bad taste in my mouth for sticking with Aperture and even made me question buying future Macs and iOS devices, which is saying a lot as I am a very big fan of Apple's products. I ended up buying Adobe's Lightroom because Adobe didn't drop support for Snow Leopard and because Adobe does a much better job of supporting their photo software. Sad, but true.